Student Notebook
References
SG24-7424, AIX 6.1 Advanced Security Features Introduction and Configuration
AIX 6.1 Security Guide (online)
Note: References listed as online are available at http://publib.boulder.ibm.com/infocenter/pseries/v6r1/index.jsp
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit objectives
After completing this unit, you should be able to:
- Define the concepts of users and groups, and explain how and when these should be allocated on the system
- Describe ways of controlling root access on the system
- Explain the uses of the SUID, SGID, and SVTX permission bits
- Administer user accounts and groups
- Identify the data files associated with users and security
AU1412.0
V4.1
User accounts
Each user has a unique name, numeric ID, and password. File ownership is determined by the numeric user ID. The owner is usually the user who created the file, but ownership can be transferred by root.
Default users:
- root: the superuser
- adm, sys, bin, ...: IDs that own system files but cannot be used for login
File ownership
When a file is created, the UID associated with the process that created the file is assigned ownership of the file. Only the owner or root can change the access permissions.
Groups
A group is a set of users, all of whom need access to a given set of files. Every user is a member of at least one group and can be a member of several groups. The user has access to a file if any group in the user's groupset provides access. To list the groupset, use the groups command. The user's real group ID is used for file ownership on creation. To change the real group ID, use the newgrp command.
Default groups:
- System administrators: system
- Ordinary users: staff
Predefined groups
There are several groups predefined on an AIX system. For example, the system group is root's group and the staff group is for all ordinary users.
Types of groups
There are three types of groups on the system:
- User groups. User groups should be made for people who need to share files on the system, such as people who work in the same department, or people who are working on the same project.
- System administrator groups. System administrators are automatically members of the system group. Membership of this group allows the administrators to perform some of the system tasks without having to be the root user.
- System-defined groups. Several system-defined groups exist. staff is the default group for all non-administrative users created on the system. security is another system-defined group, with limited privileges for performing security administration. The system-defined groups are used to control certain subsystems.
Group hierarchy
Common groups
Common groups on the system (and their intended uses) are as follows:
- system: for most configuration and standard hardware and software maintenance.
- printq: for managing queuing. Typical commands which can be run by members of this group are enable, disable, qadm, qpri, and so forth.
- security: to handle most passwords and limits control. Typical commands which can be run by members of this group are mkuser, rmuser, pwdadm, chuser, chgroup, and so forth.
- adm: most monitoring functions, such as performance, cron, and accounting.
- staff: default group assigned to all new users. You may want to change this in /usr/lib/security/mkuser.default.
- audit: for auditors.
- shutdown: allows use of the shutdown command.
User hierarchy
To protect important users and groups from members of the security group, AIX has admin users and admin groups. Only root can add, remove, or change an admin user or admin group. Any user on the system can be defined as an admin user, regardless of the group they are in.
Security logs
/var/adm/sulog: audit trail of su activity (every attempt, successful or not, with the invoking and target user)
/var/adm/wtmp: history of logins and logouts (read with the last command)
/etc/utmp: users currently logged in (read with the who command)
/etc/security/failedlogin: failed login attempts (read with who /etc/security/failedlogin)
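The su audit trail is only useful if somebody reads it. The following Python script is an added example, not part of the course material: it parses a constructed /var/adm/sulog excerpt and flags the patterns an administrator would look for (a user repeatedly failing to become root, a user who fails and then succeeds, and root access at unusual hours). The line layout assumed here, SU MM/DD hh:mm followed by + or -, the terminal, and from-to, is an assumption about the file format and is not quoted from the course; the sample lines and the thresholds are constructed for the example.

```python
import re
from collections import Counter

# Constructed /var/adm/sulog excerpt. Assumed line layout (not quoted from
# the course): "SU MM/DD hh:mm +|- tty from-to", where + is success, - failure.
SAMPLE_SULOG = """\
SU 05/11 08:02 + pts/0 fred-root
SU 05/11 08:05 - pts/3 guest-root
SU 05/11 08:05 - pts/3 guest-root
SU 05/11 08:06 - pts/3 guest-root
SU 05/11 08:07 + pts/3 guest-root
SU 05/11 09:40 + pts/1 barney-fred
SU 05/12 02:13 + pts/2 bill-root
"""

LINE_RE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) (\S+)-(\S+)$")


def parse_sulog(text):
    """Turn sulog lines into dicts; lines that do not match the assumed
    layout are skipped rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, flag, tty, src, dst = m.groups()
        records.append({"date": date, "time": time, "ok": flag == "+",
                        "tty": tty, "src": src, "dst": dst})
    return records


def find_suspicious(records, fail_threshold=3, quiet_end_hour=6):
    """Three detections over the parsed records:
    - repeated_failures: users with >= fail_threshold failed su attempts to root
    - fail_then_success: users who failed to su to root and then succeeded on
      the same date (a guessed or shared root password is the usual reason)
    - off_hours: successful su to root before quiet_end_hour (local time)"""
    failures = Counter(r["src"] for r in records
                       if r["dst"] == "root" and not r["ok"])
    repeated = sorted(u for u, n in failures.items() if n >= fail_threshold)
    failed_today, escalated, off_hours = set(), [], []
    for r in records:
        if r["dst"] != "root":
            continue
        key = (r["date"], r["src"])
        if not r["ok"]:
            failed_today.add(key)
            continue
        if key in failed_today and r["src"] not in escalated:
            escalated.append(r["src"])
        if int(r["time"][:2]) < quiet_end_hour:
            off_hours.append(r["src"])
    return {"repeated_failures": repeated,
            "fail_then_success": escalated,
            "off_hours": off_hours}


if __name__ == "__main__":
    for name, users in find_suspicious(parse_sulog(SAMPLE_SULOG)).items():
        print("%-18s %s" % (name, ", ".join(users) or "-"))
```

On a real system the script would read /var/adm/sulog instead of the constructed string; because the file is appended to by su itself, copying it elsewhere before analysis keeps the evidence intact if an attacker later truncates it.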
File/Directory permissions

Perm. bit   File                                        Directory
r           Read content of file                        List content of directory
w           Modify content of file                      Create and remove files in directory
x           Use file name to execute as a command       Give access to directory (search it, cd into it)
SUID        Run program with effective UID of owner     --------
SGID        Run program with effective GID of group     Files created in directory inherit the same group as the directory
SVTX        --------                                    Must be owner of files to delete files from directory
Reading permissions
In the output of ls -l, the special bits are shown in the x position of the owner, group, and other fields:
owner   r w x   SUID + x is shown as s; SUID only (no x bit) is shown as S
group   r w x   SGID + x is shown as s; SGID only (no x bit) is shown as S
other   r w x   SVTX + x is shown as t; SVTX only (no x bit) is shown as T
Changing permissions
4  SUID   owner  r w x  (4 2 1)
2  SGID   group  r w x  (4 2 1)
1  SVTX   other  r w x  (4 2 1)
You normally use the numeric values of 4, 2, and 1 to set r, w, and x. That remains the same. To set the additional bits, you are affecting the x position in either the user, group, or other area. If you assign numeric values to user (4), group (2), and other (1), these are the values that you insert into the fourth (leading) position to set the additional bit:
- SUID is indicated in the user's area; therefore use a 4 in the fourth position (for example, chmod 4755 file)
- SGID is indicated in the group area; therefore use a 2 in the fourth position (for example, chmod 2755 file)
- SVTX is indicated in the others area; therefore use a 1 in the fourth position (for example, chmod 1777 dir)
umask
The umask governs permissions on new files and directories. The system default umask is 022. A umask of 027 is recommended. If the umask value is set to 022, then any ordinary files or directories created inherit the following permissions:
Ordinary file: rw-r--r--
Directory:     rwxr-xr-x
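The s/S and t/T rendering rules from "Reading permissions", the fourth-digit arithmetic from "Changing permissions", and the umask calculation above can all be checked with the following Python script. It is an added example and not part of the course material: it assembles modes from the four chmod digits, renders them the way ls -l does, computes the permissions a new file or directory gets under a umask, and, when run directly, applies the modes to a scratch file and compares its own renderer against the standard library's stat.filemode. Nothing in it is AIX-specific; the modes chosen for the demonstration are constructed.

```python
import os
import stat
import tempfile

# The three special bits as the leading digit of a four-digit chmod value:
# 4 = SUID, 2 = SGID, 1 = SVTX, so "chmod 4755" is the mode 0o4755.
SUID, SGID, SVTX = 0o4000, 0o2000, 0o1000


def mode_from_digits(special, owner, group, other):
    """Assemble a mode from the four octal digits given to chmod,
    e.g. mode_from_digits(4, 7, 5, 5) == 0o4755."""
    for d in (special, owner, group, other):
        if not 0 <= d <= 7:
            raise ValueError("each chmod digit must be between 0 and 7")
    return (special << 9) | (owner << 6) | (group << 3) | other


def symbolic(mode, is_dir=False):
    """Render a mode the way ls -l does. In the x position, SUID/SGID show as
    's' when the matching x bit is set and 'S' when it is not; SVTX shows as
    't' together with the 'other' x bit and 'T' without it."""
    out = ["d" if is_dir else "-"]
    for shift, special, letter in ((6, SUID, "s"), (3, SGID, "s"), (0, SVTX, "t")):
        out.append("r" if mode & (4 << shift) else "-")
        out.append("w" if mode & (2 << shift) else "-")
        x_set = bool(mode & (1 << shift))
        if mode & special:
            out.append(letter if x_set else letter.upper())
        else:
            out.append("x" if x_set else "-")
    return "".join(out)


def after_umask(umask, is_dir=False):
    """Permissions a new ordinary file (base 666) or directory (base 777)
    receives under a umask: every bit set in the umask is cleared."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def check_on_disk(digits_list):
    """chmod a scratch file to each four-digit mode and return, per mode,
    (our rendering of the request, our rendering of what the kernel reports,
    stat.filemode's rendering) so the renderer can be verified end to end."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "prog")
        open(path, "w").close()
        for digits in digits_list:
            mode = mode_from_digits(*digits)
            os.chmod(path, mode)
            st = os.stat(path)
            results.append((symbolic(mode),
                            symbolic(stat.S_IMODE(st.st_mode)),
                            stat.filemode(st.st_mode)))
    return results


if __name__ == "__main__":
    for want, got, ref in check_on_disk([(4, 7, 5, 5), (4, 6, 4, 4), (2, 7, 5, 5)]):
        print(want, got, ref)
    for um in (0o022, 0o027):
        print("umask %03o:" % um, symbolic(after_umask(um)),
              symbolic(after_umask(um, True), True))
```

The second and third columns printed by check_on_disk should always agree; on a file system mounted nosuid the bits are still stored and displayed, they are simply ignored at exec time, which is why a listing alone does not prove that a set-UID program is effective.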
Changing ownership
The chown command:
# chown fred file1
The chgrp command:
# chgrp staff file1
Changing both user and group ownership:
# chown fred:staff file1
# chown fred.staff file1
Legacy RBAC
Starting with AIX 4.2, a form of RBAC was provided, but it was difficult to work with. Even though a user was assigned a role, that user was often still unable to execute the associated tasks until the requisite command was converted to a set-UID executable and the user was made a member of the group associated with that command. In addition, the legacy framework was implemented without involvement of the kernel.
Enhanced RBAC
Starting with AIX 6.1, an enhanced form of RBAC is provided. The enhanced RBAC framework involves the kernel and is therefore more secure. The new framework is also more granular and extensive than the legacy RBAC. Once a role is assigned to a user, they have the authorization to do the related tasks without having to adjust file permissions or group membership. While the framework supports user-defined privileged commands, authorizations, and roles, AIX 6.1 SP1 provides 10 predefined roles that can be used without additional RBAC configuration. The details of the RBAC framework are outside the scope of this course.
Notes: Overview
AIX 6.1 SP1 provides 10 predefined roles. The first three in the list provide authorization for broad task areas. The ones after that provide the ability to delegate smaller and more focused task areas, which are a subset of what the first three provide. The following are only summaries of authorization. The complete and detailed description can only be determined by researching the RBAC databases on your system.
Notes: Introduction
This lab gives you a chance to look at some of the security files and allows you an opportunity to work with the SUID, SGID, and SVTX. The exercise can be found in your Student Exercises Guide.
Login sequence
getty -> login: the user enters the login name, then the password
Verify user name and password against /etc/passwd and /etc/security/passwd
  Invalid: log an entry in /etc/security/failedlogin and prompt again
  Valid: start the user's shell, which runs /etc/profile and then $HOME/.profile
Copyright IBM Corporation 2008
Notes: Introduction
When a user attempts to log in, AIX checks a number of files to determine if entry is permitted to the system and, if permitted, what parts of the system the user can access. This section provides an overview of the checks performed during the login process.
Validation
When the user enters the password, it is checked. If the password is incorrect or an invalid user name was given, the login fails, and an entry is made in the file /etc/security/failedlogin. (Use the command who /etc/security/failedlogin to view this file.) The number of failed attempts is also tracked (by user account) in /etc/security/lastlog. The Login: prompt is redisplayed for another attempt. It is possible to set the characteristics for a user to prevent unlimited attempts on an account (the loginretries attribute in /etc/security/user). If the number of attempts exceeds the maximum allowable failed attempts, the account is locked.
If a user successfully enters the user name and password, the usw stanza in /etc/security/login.cfg is checked. This stanza sets the maximum number of concurrent logins for a user account. If that number is exceeded, the login is denied and a message is displayed to the user.
Files processed at login:
/etc/environment
/etc/profile
$HOME/.profile
$HOME/.kshrc
Users
This option is used to add users to the system, delete existing users and change the characteristics of existing users.
Groups
This option is used to add groups to the system, delete groups and change the characteristics of existing groups.
Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V4.1
Student Notebook
Uempty
Passwords
This option is used to change the password for a user. It is also required when setting up a new user or when a user has forgotten their password.
Login Controls
This option provides functions to restrict access for a user account or on a particular terminal.
PKI
PKI stands for Public Key Infrastructure. This option is used to authenticate users with X.509 certificates and to associate certificates with processes as proof of a user's identity.
LDAP
LDAP stands for Lightweight Directory Access Protocol. It provides a way to centrally administer common configuration information for many platforms in a networked environment. A common use of LDAP is the central administration of user authentication. The SMIT option here allows us to configure this platform as either an LDAP client or an LDAP server.
Trusted Execution
Trusted Execution (TE) refers to a collection of features that are used to verify the integrity of the system and implement advanced security policies, which together can be used to enhance the trust level of the complete system.
SMIT users
# smit users

Users
Move cursor to desired item and press Enter.
  Add a User
  Change a User's Password
  Change / Show Characteristics of a User
  Lock / Unlock a User's Account
  Reset User's Failed Login Count
  Remove a User
  List All Users

Figure 14-19. SMIT users
Remove a User
Removes the user account, but not files owned by that user.
Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
...
john id=200 home=/home/john
...
User name
The only value that must be specified is the user name. Traditionally, this name was restricted to 8 characters in length. Beginning with AIX 5L V5.3, this limit can be changed to allow names as long as 255 characters. The limit is modified in the Change/Show Attributes of the Operating System panel (smit chsys).
Setting a password
When a new user is created, the ID is disabled (an asterisk * is placed in the password field of the /etc/passwd file). To enable the ID, a password must be set with the Change a User's Password option or either the passwd or pwdadm command.
Passwords
A new user ID cannot be used until a password is assigned. There are two commands available for making password changes:
# passwd [username]
# pwdadm username
SMIT invokes the passwd command. An ordinary user can use the passwd command to change their own password. Only root or a member of the security group can change the password of another user.
Notes: Introduction
A series of steps that can be used to recover if you forget the root password are given on this visual.
Step 1
First, you must boot your machine from media other than its normal hard drive. Either an installation CD, a NIM server or a mksysb tape works just fine. Remember to invoke the service boot list, usually by pressing F5 while your machine is booting. Booting in maintenance mode is covered in AU16 course.
Step 2
You will need to define your system console and select a language. Then the Installation and Maintenance menu is displayed. Be certain to select Option 3, Start Maintenance Mode for System Recovery. If you select Option 1 or 2, you are reinstalling your operating system.
Step 3
Select the options required to activate the root volume group and start a shell. This gets you access to rootvg without any passwords.
Step 4
Once you get the # prompt, use the passwd command as you normally would to create a new root password.
Step 5
Enter the command # sync ; sync. This ensures that the memory buffer is written to disk. In other words, it ensures that the new root password is saved to disk.
Step 6
Reboot your system. The command shutdown -Fr is a good way to accomplish this.
SMIT groups
# smit groups

Groups
Move cursor to desired item and press Enter.
  List All Groups
  Add a Group
  Change / Show Characteristics of a Group
  Remove a Group
Predefined groups
There are a number of predefined groups on AIX systems, like the system group (which is root's group) and the staff group (which contains the ordinary users).
Example:
# lsgroup ALL
system id=0 admin=true users=root,test2 registry=compat
staff id=1 admin=false users=ipsec,team01,team02,team03,team04,team05,test1,daemon registry=compat
bin id=2 admin=true users=root,bin registry=compat
sys id=3 admin=true users=root,bin,sys registry=compat
adm id=4 admin=true users=bin,adm registry=compat
uucp id=5 admin=true users=uucp,nuucp registry=compat
...
ipsec id=200 admin=false users= registry=compat
Add a Group
# smit mkgroup

Add a Group
Type or select values in entry fields. Press Enter AFTER making all desired changes.
                                   [Entry Fields]
* Group NAME                       [support]
  ADMINISTRATIVE group?            false
  Group ID                         [300]
  USER list                        [fred,barney]
  ADMINISTRATOR list               [fred]
  Projects                         [ ]
  Initial Keystore Mode            [ ]
  Keystore Encryption Algorithm    [ ]
  Keystore Access                  [ ]
The -a option
The mkgroup -a option is used to indicate that the new group is to be an administrative group. Only the root user can add administrative groups to the system.
The -A option
The -A option makes the invoker of the mkgroup command the group administrator.
Keystore Access
The keystore allows the group to use files in the Encrypted File System (EFS). Selecting file creates a keystore file associated with this group and is the recommended setting. Select none if no keystore is to be created; in that case the other EFS (efs_*) attributes have no effect.
The Change / Show Characteristics of a Group panel presents the same fields: Group NAME, Group ID, ADMINISTRATIVE group?, USER list, ADMINISTRATOR list, Projects, Initial Keystore Mode, Keystore Encryption Algorithm, and Keystore Access.
Group attributes
The group attributes are: - Group ID (id=groupid). It is not advisable to change the group ID, but it is occasionally done immediately after a group has been created to match the ID of a previously deleted group, or a specific group ID needed for a particular software package. - ADMINISTRATIVE group? (admin=true|false). Only the root user can change a group to be an administrative group or make changes to an existing administrative group.
Copyright IBM Corp. 1997, 2008 Unit 14. Security and user administration 14-57
- USER list (users=usernames). This is a comma separated list of the names of all the members of the group. The group may be their primary group or an additional one. - ADMINISTRATOR list (adms=adminnames). This is the list of group administrators. - Projects (projects=projectnames). As previously mentioned, this attribute was added to support the Advanced Accounting subsystem.
Notes: Introduction
This lab gives you an opportunity to expand your knowledge of user administration. You add users and groups and review many of the user characteristics. The exercise can be found in your Student Exercise Guide. Be sure to only do Parts 1-5. You will be doing Parts 6-7 at the end of this unit.
Security files
Files used to contain user attributes and control access:
/etc/passwd         Valid users (not passwords)
/etc/group          Valid groups
/etc/security       Directory not accessible to normal users, containing:
  passwd            User passwords
  user              User attributes, password restrictions
  group             Group attributes
  limits            User limits
  environ           User environment settings
  login.cfg         Login settings
Notes: Introduction
The security on the system is controlled by a number of ASCII files. Key files are listed on the visual and briefly described below.
/etc/passwd
The /etc/passwd file lists the valid users, and the user ID, primary group, home directory, and default login shell for each of these users.
/etc/group
The /etc/group file lists the valid groups, their group IDs, and members.
/etc/security/passwd
/etc/security/passwd contains the encrypted password and update information for users.
/etc/security/user
/etc/security/user contains extended user attributes.
/etc/security/group
/etc/security/group contains extended group attributes.
/etc/security/limits
/etc/security/limits contains process resource limits for users.
/etc/security/environ
/etc/security/environ contains environment variables for users. This file is not often used.
/etc/security/login.cfg
/etc/security/login.cfg is a configuration file for the login program. This file contains security enhancements that limit the logins on a port, for example, the number of login attempts and the valid login programs (shells).
/etc/passwd file
# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
esaadmin:*:811:0::/home/esaadmin:/usr/bin/ksh
john:!:200:0:x7560 5th floor:/home/john:/usr/bin/ksh
bill:*:201:1::/home/bill:/usr/bin/ksh
The fields, separated by colons, are:
Name - The user's login name.
Password - A placeholder only: ! means the encrypted password is kept in /etc/security/passwd; * means the account has no usable password and cannot be used for login.
UID - The numeric user ID.
GID - The ID of the primary group to which this user belongs.
Information - Any descriptive text for the user.
Directory - The login directory of the user and the initial value of the $HOME variable.
Login program - Specifies the initial program or shell that is executed after a user invokes the login command or su command.
/etc/security/passwd file
# cat /etc/security/passwd
root:
        password = 92t.mzJBjlfbY
        lastupdate = 885485990
        flags =

daemon:
        password = *

bin:
        password = *
...
john:
        password = q/gD6q.ss21x.
        lastupdate = 884801337
        flags = ADMCHG,ADMIN,NOCHECK
Index files
As previously mentioned, in AIX, additional files can be created to be used as index files for /etc/security/passwd and some related files. These index files provide for better performance during the login process. These indexes are created using the mkpasswd command.
Entries in /etc/security/passwd
Valid entries in /etc/security/passwd are:
password    Either the encrypted password, * for invalid, or blank for no password
lastupdate  The date and time of the last password update, in seconds since January 1, 1970
flags       ADMCHG - The password was last changed by an administrator or root
            ADMIN - The user's password can only be changed by root
            NOCHECK - Password restrictions are not in force for this user (see /etc/security/user for password restrictions)
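Because a login is only as good as the pair of entries behind it, the two files are best reviewed together. The following Python script is an added example, not part of the course material: it parses a constructed excerpt of /etc/passwd (drawn from the listing shown earlier in this unit, with an extra oper line added for the example) and a constructed /etc/security/passwd in the stanza format shown above, then reports the findings an administrator would act on: an account other than root with UID 0, a blank password, NOCHECK flags, accounts disabled with *, and duplicate UIDs. The parse_stanzas helper is a generic reader for the "name:" / "attribute = value" layout used by the files under /etc/security.

```python
from collections import defaultdict

# Constructed excerpt of /etc/passwd, based on the listing earlier in this
# unit, plus an 'oper' line added for the example (uid 0 but not root).
SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
lp:*:11:11::/var/spool/lp:/bin/false
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
john:!:200:0:x7560 5th floor:/home/john:/usr/bin/ksh
bill:*:201:1::/home/bill:/usr/bin/ksh
oper:!:0:0:constructed example:/home/oper:/usr/bin/ksh
"""

# Constructed excerpt of /etc/security/passwd (stanza format); the 'oper'
# stanza with an empty password and NOCHECK is added for the example.
SAMPLE_SECURITY_PASSWD = """\
root:
        password = 92t.mzJBjlfbY
        lastupdate = 885485990
        flags =

daemon:
        password = *

bin:
        password = *

john:
        password = q/gD6q.ss21x.
        lastupdate = 884801337
        flags = ADMCHG,ADMIN,NOCHECK

oper:
        password =
        flags = NOCHECK
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse colon-separated /etc/passwd lines into dicts keyed by FIELDS."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed passwd line: %r" % line)
        e = dict(zip(FIELDS, parts))
        e["uid"], e["gid"] = int(e["uid"]), int(e["gid"])
        entries.append(e)
    return entries


def parse_stanzas(text):
    """Parse the stanza format ('name:' header, indented 'attr = value'
    lines) used by the files under /etc/security."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def audit(passwd_entries, security_passwd):
    """Return (user, finding) pairs for the checks described in the lead-in."""
    findings = []
    by_uid = defaultdict(list)
    for e in passwd_entries:
        name = e["name"]
        by_uid[e["uid"]].append(name)
        if e["uid"] == 0 and name != "root":
            findings.append((name, "uid0"))
        if e["password"] == "*":
            findings.append((name, "disabled"))
        elif e["password"] == "!":
            stanza = security_passwd.get(name)
            if stanza is None:
                findings.append((name, "no_stanza"))   # ! but nothing behind it
                continue
            pw = stanza.get("password", "")
            if pw == "*":
                findings.append((name, "disabled"))
            elif pw == "":
                findings.append((name, "empty_password"))
            if "NOCHECK" in stanza.get("flags", "").split(","):
                findings.append((name, "nocheck"))
        else:
            # Anything else is a hash sitting in the world-readable file
            findings.append((name, "hash_in_passwd"))
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append((",".join(names), "dup_uid"))
    return findings


if __name__ == "__main__":
    for user, what in audit(parse_passwd(SAMPLE_PASSWD),
                            parse_stanzas(SAMPLE_SECURITY_PASSWD)):
        print("%-14s %s" % (user, what))
```

Note that the duplicate UIDs the script reports for snapp/john and ipsec/bill come from the course's own listing: two names sharing a UID own each other's files and are indistinguishable in accounting and audit records, so the audit treats the pair as one finding.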
/etc/security/user file (1 of 2)
# cat /etc/security/user
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        ...
Notes:
admin
Defines the administrative status of the user. Possible value: true or false.
login
Defines whether a user can login. Possible values: true or false.
su
Defines whether other users can switch to this user account. The su command supports this attribute. Possible values: true or false.
daemon
Defines whether the user can execute programs using the system resource controller (SRC). Possible values: true or false.
rlogin
Defines whether the user account can be accessed by remote logins. Commands rlogin and telnet support this attribute. Possible values: true or false.
sugroups
Defines which groups can switch to this user account. Alternatively, you may explicitly deny groups by preceding the group name with a ! character. Possible values: A list of valid groups separated by commas, ALL or *
admgroups
Lists the groups that a user administers. The value is a comma-separated list of valid group names.
ttys
Defines which terminals can access the user account. Alternatively you may explicitly deny terminals by preceding the terminal name with the ! character. Possible values: List of device paths separates by commas, ALL or *
auth1
Defines the primary authentication method for a user. The commands login, telnet, rlogin and su support these authentication methods.
auth2
Defines the secondary authentication methods for a user. It is not a requirement to pass this method to login.
tpath
Defines the user's trusted path characteristics. Possible values: nosak, notsh, always or on. (For more information refer to the online documentation.)
umask
Defines the default umask for the user. Possible values: 3-digit octal value.
expires
Defines the expiration time for the user account. Possible values: a valid date in the form MMDDHHMMYY or 0. If 0, the account does not expire. The 'YY' supports the last two digits of the years 1939 to 2038. If 0101000070 then the account is disabled.
/etc/security/user file (2 of 2)
default:
        ...
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =
Notes: SYSTEM
This attribute can be used to describe multiple or alternate authentication methods the user must use successfully before gaining access to the system. Possible tokens are:
- files: allows only local users access to the system
- compat: the normal login procedure, which allows local and NIS users access to the system
- DCE: the Distributed Computing Environment authentication
logintimes
Defines the times a user can log in. The value is a comma-separated list of items of the form [!][MMdd[-MMdd]]:hhmm-hhmm, [!]MMdd[-MMdd][:hhmm-hhmm], [!][w[-w]]:hhmm-hhmm, or [!]w[-w][:hhmm-hhmm], where MM is a month number (00=January, 11=December), dd is the day of the month, hh is the hour of the day (00-23), mm is the minute of the hour, and w is the day of the week (0=Sunday, 6=Saturday). A leading ! denies login during the times the item describes.
pwdwarntime
The number of days before a forced password change that a warning is given to the user informing them of the impending password change. Possible values: a positive integer or 0 to disable this feature.
account_locked
Defines whether the account is locked. Locked accounts cannot be used for login or su. Possible values: true or false.
loginretries
The number of invalid login attempts before a user is not allowed to log in. Possible values: a positive integer or 0 to disable this feature.
histexpire
Defines the period of time in weeks that a user will not be able to reuse a password. Possible values: an integer value between 0 and 260. 26 (approximately 6 months) is the recommended value.
histsize
Defines the number of previous passwords which cannot be reused. Possible values: an integer between 0 and 50.
minage
Defines the minimum number of weeks between password changes. Default is 0. Range: 0 to 52.
maxage
Defines the maximum number of weeks a password is valid. The default is 0, which is equivalent to unlimited. Range: 0 to 52.
maxexpired
Defines the maximum number of weeks after maxage that an expired password can be changed by a user. The default is -1, which is equivalent to unlimited. Range: -1 to 52. maxage must be greater than 0 for maxexpired to be enforced. (root is exempt from maxexpired).
minalpha
Defines the minimum number of alphabetic characters in a password. The default is 0. Range: 0 to 8.
minother
Defines the minimum number of non-alphabetic characters in a password. The default is 0. Range: 0 to 8.
minlen
Defines the minimum length of a password. The default is 0. Range: 0 to 8. Note that the minimum length of a password is determined by minlen and/or "minalpha + minother", whichever is greater. "minalpha + minother" should never be greater than 8. If "minalpha + minother" is greater than 8, then minother is reduced to "8 - minalpha".
mindiff
Defines the minimum number of characters in the new password that were not in the old password. The default is 0. Range: 0 to 8.
maxrepeats
Defines the maximum number of times a given character can appear in a password. The default is 8, which is equivalent to unlimited. Range: 0 to 8.
dictionlist
Defines the password dictionaries used when checking new passwords. The format is a comma separated list of absolute path names to dictionary files. A dictionary file contains one word per line where each word has no leading or trailing white space. Words should only contain 7 bit ASCII characters. All dictionary files and directories should be write protected from everyone except root. The default is valueless which is equivalent to no dictionary checking.
pwdchecks
Defines external password restriction methods used when checking new passwords. The format is a comma separated list of absolute path names to methods or method path names relative to /usr/lib. A password restriction method is a program module that is loaded by the password restrictions code at run time. All password restriction methods and directories should be write protected from everyone except root. The default is valueless, which is equivalent to no external password restriction methods.
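Because the attributes above interact (minlen against minalpha + minother, the cap of 8, the history and dictionary checks), here is an added Python example, not IBM's code and not a reimplementation of the AIX password library, that reads a constructed /etc/security/user-style stanza text, resolves a user's effective attributes over the default stanza, and reports which restrictions a candidate password would violate. The sample stanzas, the user name john, and the way mindiff is counted are assumptions; john's values are chosen so that minalpha + minother exceeds 8 and the capping rule is visible, and the default stanza shows that with everything left at 0 even an empty password passes every check.

```python
from typing import Dict, Iterable, List

# Constructed sample in the stanza layout of /etc/security/user (not taken from a real system).
SAMPLE_USER_FILE = """\
* AIX stanza files use '*' for comments; a user stanza overrides 'default'.
default:
        SYSTEM = "compat"
        maxage = 0
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        histsize = 0
        dictionlist =

john:
        maxage = 13
        minalpha = 6
        minother = 4
        minlen = 8
        mindiff = 3
        maxrepeats = 2
        histsize = 4
"""


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """'name:' at column 0 opens a stanza; indented 'attr = value' lines belong to it."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            attr, _, value = line.partition("=")
            stanzas[current][attr.strip()] = value.strip().strip('"')
    return stanzas


def effective_attrs(stanzas: Dict[str, Dict[str, str]], user: str) -> Dict[str, str]:
    """Merge the default stanza with the user's own, attribute by attribute."""
    attrs = dict(stanzas.get("default", {}))
    attrs.update(stanzas.get(user, {}))
    return attrs


def password_limits(attrs: Dict[str, str]) -> Dict[str, int]:
    """Apply the two rules from the notes: minalpha + minother is capped at 8 by
    reducing minother, and the effective minimum length is the larger of minlen
    and minalpha + minother. Missing or empty values fall back to the defaults."""
    def num(key: str, default: int) -> int:
        return int(attrs.get(key) or default)
    minalpha, minother = num("minalpha", 0), num("minother", 0)
    if minalpha + minother > 8:
        minother = 8 - minalpha
    return {"minlen": max(num("minlen", 0), minalpha + minother),
            "minalpha": minalpha, "minother": minother,
            "mindiff": num("mindiff", 0),
            "maxrepeats": num("maxrepeats", 8),      # 8 means unlimited
            "histsize": num("histsize", 0)}          # 0 means no history check


def check_new_password(new: str, old: str, history: List[str], limits: Dict[str, int],
                       dictionary: Iterable[str] = ()) -> List[str]:
    """Return the restrictions a candidate password violates (empty list = accepted).
    'history' is most recent first. mindiff is counted here as characters of the
    new password that occur nowhere in the old one (an assumption about AIX's count)."""
    violations = []
    if len(new) < limits["minlen"]:
        violations.append("minlen")
    if sum(c.isalpha() for c in new) < limits["minalpha"]:
        violations.append("minalpha")
    if sum(not c.isalpha() for c in new) < limits["minother"]:
        violations.append("minother")
    if sum(c not in old for c in new) < limits["mindiff"]:
        violations.append("mindiff")
    if limits["maxrepeats"] < 8 and any(new.count(c) > limits["maxrepeats"] for c in set(new)):
        violations.append("maxrepeats")
    if new in history[:limits["histsize"]]:
        violations.append("histsize")
    if new in set(dictionary):
        violations.append("dictionlist")
    return violations


if __name__ == "__main__":
    stanzas = parse_stanzas(SAMPLE_USER_FILE)
    john = password_limits(effective_attrs(stanzas, "john"))
    print(john)                                            # minother capped to 8 - 6 = 2
    print(check_new_password("Aaaaaaa1", "xyz", [], john))  # ['minother', 'maxrepeats']
    default = password_limits(effective_attrs(stanzas, "default"))
    print(check_new_password("", "", [], default))          # [] : nothing is enforced
```

The same parser can be pointed at a copy of the real file to list which users override the default stanza, which is the first thing to look at when auditing why one account is held to weaker password rules than the rest.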
Group files
# more /etc/group
system:!:0:root,john
staff:!:1:john
bin:!:2:root,bin
sys:!:3:root,bin,sys
...
usr:!:100:guest
accounts:!:200:john
...
# more /etc/security/group
system:
        admin = true

staff:
        admin = false

accounts:
        admin = false
        adms = john
        projects = system
/etc/security/login.cfg file
default:
        herald = "Authorized use only.\n\rlogin:"
        logintimes =
        logindisable = 0
        logininterval = 0
        loginreenable = 0
        logindelay = 0
        pwdprompt = "Password: "
        usernameecho = false
Notes:
herald
Specifies the initial message to be printed out when getty or login prompts for a login name. This value is a string that is written out to the login port. If the herald is not specified, then the default herald is obtained from the message catalog associated with the language set in /etc/environment.
logintimes
Defines the times a user can use this port to login.
logindisable
Number of unsuccessful login attempts before this port is locked. Use this in conjunction with logininterval.
logininterval
The number of seconds during which logindisable unsuccessful attempts must occur for a port to be locked.
loginreenable
The number of minutes after a port is locked before it is automatically unlocked.
logindelay
The delay in seconds between unsuccessful login attempts. This delay is multiplied by the number of unsuccessful logins - that is, if the value is two, then the delay between unsuccessful logins is two seconds, then four seconds, then six seconds and so forth.
pwdprompt
Defines the password prompt message printed when requesting password input. The value is a character string.
usernameecho
Defines whether the user name should be echoed on a port. If true (this is the default) the user name echo is enabled. If false, user name echo is disabled. The user name is not echoed at the login prompt and is masked out of security-related messages.
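To see how logindisable, logininterval, loginreenable and logindelay work together, the following Python is an added example, not IBM's code and not the getty/login implementation, that replays a constructed list of failed-attempt timestamps on one port under a chosen policy. It assumes that locking requires both logindisable and logininterval to be set (the notes say to use them in conjunction), that an automatic unlock restarts the failure count, and that the delay after the n-th consecutive failure is logindelay x n as described above. The policy values and timestamps are made up for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortPolicy:
    """The port-lockout attributes of a /etc/security/login.cfg port stanza."""
    logindisable: int = 0    # failed attempts that lock the port; 0 disables locking
    logininterval: int = 0   # seconds within which those failures must occur
    loginreenable: int = 0   # minutes until automatic unlock; 0 means the port stays locked
    logindelay: int = 0      # base delay in seconds, multiplied by the failure count


@dataclass
class PortState:
    failures: List[int] = field(default_factory=list)   # epoch seconds of recent failures
    locked_at: Optional[int] = None


def record_failure(policy: PortPolicy, state: PortState, now: int) -> None:
    """Register a failed login at 'now'; lock the port once logindisable failures
    fall within the last logininterval seconds. Assumption: locking needs both
    attributes set, since the notes say to use them in conjunction."""
    state.failures.append(now)
    if policy.logininterval > 0:
        state.failures = [t for t in state.failures if now - t <= policy.logininterval]
    if policy.logindisable > 0 and policy.logininterval > 0 \
            and len(state.failures) >= policy.logindisable:
        state.locked_at = now


def is_locked(policy: PortPolicy, state: PortState, now: int) -> bool:
    """True while the port is locked; the lock clears after loginreenable minutes."""
    if state.locked_at is None:
        return False
    if policy.loginreenable > 0 and now - state.locked_at >= policy.loginreenable * 60:
        state.locked_at = None      # automatic re-enable
        state.failures.clear()      # assumption: the failure count restarts
        return False
    return True


def next_delay(policy: PortPolicy, state: PortState) -> int:
    """Delay before the next prompt: logindelay x consecutive failures (2, 4, 6, ...)."""
    return policy.logindelay * len(state.failures)


def simulate(policy: PortPolicy, failure_times: List[int], check_at: int) -> dict:
    """Replay constructed failed-attempt timestamps on one port and report the outcome."""
    state = PortState()
    delays = []
    for t in failure_times:
        record_failure(policy, state, t)
        delays.append(next_delay(policy, state))
    locked_now = is_locked(policy, state, check_at)
    return {"locked_at": state.locked_at, "delays": delays, "locked_now": locked_now}


if __name__ == "__main__":
    policy = PortPolicy(logindisable=3, logininterval=60, loginreenable=5, logindelay=2)
    print(simulate(policy, [0, 10, 20], check_at=100))   # three failures in 20 s: locked
    print(simulate(policy, [0, 10, 100], check_at=110))  # first failure aged out: not locked
```

The second run is the case worth noticing when tuning these values: with logininterval at 60 seconds, three failures spread over 100 seconds never lock the port, so a short interval combined with a high logindisable only catches rapid bursts.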
Additional options for usrck are as follows:
-b   Reports users who are not able to access the system and the reasons, with the reasons displayed in a bit-mask format.
-l   Scans all users or the users specified by the User parameter to determine if the users can access the system.
Checkpoint (1 of 2)
1. What are the benefits of using the su command to switch user to root over logging in as root?
_____________________________________________________ _____________________________________________________
3. As a member of the security group, which password command would you use?
__________________________________________________
5. True or False? When you delete a user from the system, all the user's files and directories are also deleted.
Checkpoint (2 of 2)
6. If an ordinary user forgets their password, can the system administrator find out by querying the system as to what the user's password was set to? _______ Why? ___________________
_________________________________________________
7. Password restrictions are set in which of the following files?
a. /etc/passwd
b. /etc/security/passwd
c. /etc/security/restrictions
d. /etc/security/user
Part 6 - Examine the security set up
Part 7 - Customizing the login herald
Notes:
Introduction
This lab gives you an opportunity to expand your knowledge of user administration. You will examine the security set up and customize the login herald. The exercise can be found in your Student Exercises Guide.
Unit summary
Users and groups can be added to and deleted from the system by using SMIT or by using high-level commands.
Passwords must be set for all users using either pwdadm or passwd.
Administrative users and groups can only be administered by root.
Every user must be in at least one group.
Certain groups give users additional privileges.
Security files are ASCII text files located in the /etc and /etc/security directories.